HP Security Study Finds Internal Defenses Lacking

Apparently spending more money on security doesn't necessarily mean an enterprise is actually more secure, HP's State of the Network Security survey finds.

According to Hewlett-Packard's new State of the Network Security survey, many organizations are not taking internal threats as seriously as they should.
The study found that 70 percent of attacks inside of a network come from systems that had been compromised by some form of malware.
"This means that corporate networks are already infected with malware in many cases," Jennifer Ellard, director of network security product marketing for HP Enterprise Security Products, told eWEEK.
Ellard added that organizations are dedicating more time and resources to trying to prevent intrusion, when many are already infected. She noted that there is a need to help organizations not only block intrusion but remediate infection, which will increase their security posture and better optimize network bandwidth.

The survey did not ask for a specific breakdown of the actual percentage of attacks that are coming from external versus internal sources. That said, survey respondents were asked about areas of concern. Ellard said that 71 percent of respondents indicated that they are very concerned with external threats, while only 46 percent of respondents indicated strong concern for internal threats.

In terms of the types of attacks enterprises experience the most, phishing was cited as a key concern, with 69 percent of respondents indicating that they see phishing attacks at least once a week.
The attacks against enterprises continue despite the fact that organizations are spending sizable amounts of money on security. The study reported that respondents spend an average of $2.6 million a year on security. Ellard said that survey respondents indicated that approximately 24 percent of their network security budget goes toward intrusion prevention systems (IPSes), approximately 20 percent toward Next Generation Firewall (NGFW) technology and approximately 19 percent toward protecting against advanced persistent threats (APTs) and malware. Organizations are devoting 16 percent of their total security spending to URL filtering and only 3 percent to virtual private network (VPN) protection.
Ellard said that many of the results validated concerns that HP had been hearing from its customers, but some of the results were surprising.
"It was interesting to see that companies who spend more on network security see more problems than those who spend less," she said.
Ellard also said that she was surprised about the security attitudes around the bring-your-own-device (BYOD) trend. She noted that only 43 percent of the respondents indicated that they are very concerned with BYOD, which is lower than expected.
"BYOD has been a significant driver in changes to the network perimeter and has greatly expanded the attack surface, causing new concerns for IT professionals to address," Ellard said.
Overall, according to Ellard, the big takeaway from the study is that it's important to ensure that enterprises are spending network security budgets on the right things.
"For example, if phishing attacks are coming through multiple times each week, an intrusion prevention system should be in place to ensure those attacks are blocked," she said. "A layered approach to security is very important because hackers are getting savvier and it's inevitable that some threats will penetrate the network."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.